Microsoft Intune, SysCtr, OpsMgr, ConfigMgr

Primary Menu

Category Windows Intune

Microsoft has announced new capabilities coming to Microsoft Intune for mobile device and application management.

Microsoft Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping secure corporate information. As a cloud service, we continue to rapidly add new capabilities to Intune, over the next few months we will roll out:

Intune-managed Office mobile apps that enable your workforce to securely access corporate data using the apps they know and love while preventing data leakage by restricting actions such as copy/cut/paste/save as and ‘open-in’ between apps in your managed app ecosystem

App wrapping capabilities that help secure your existing line-of-business applications, integrating these apps into your managed app ecosystem without further development or code changes

It has been a long time that I have worked with Windows Intune. The most recently blog was about Windows Intune this year in January. I had a day off today. That means for me, it’s time for Intune! I was curious about Direct Management, Deploying Windows Apps to a Windows Device and how to register an Android mobile device via Company Portal. So, I begun with Windows Device enrollment, Windows App deploying and Direct Management.

First you have to know about sideloading and deploying Windows App to different versions of Windows 8.1. There are different ways to deploy or install a Windows app. You can use the Windows Store or, you can use a deployment tool like; ConfigMgr, MDT or Windows Intune. Apps which are available in the Windows App Store are automatically signed and validated as trusted by Microsoft and can be deployed by Windows Intune directly out the Windows Store to the devices. When you have to distribute a business-line(LOB) app directly to a user without using the Windows Store, you have to sideload the app. Sideloading means bypass the validation and signing requirements of the Windows Store and makes you responsible for validating and singing them. You cannot sideload an app that has been downloaded from the Windows Store. Due the corporate policy it’s duly that the company doesn’t want to make there LOB apps available in the Windows Store. For them is sideloading the only option to deploy Windows Store apps. Also, they will be responsible for app updates to users. For sideloading you have to use sideload keys. They are available at Microsoft Volume Licensing. More information about sideloading, check this url: http://technet.microsoft.com/en-us/library/dn613831.aspx

Which versions must be sideloading the apps?

NOTE: Unfortunately, I can’t test sideloading. I don’t have the keys for sideloading. Because of that, I could test only a Windows 8.1 Enterprise Update 1 domain joined.

UPDATE: Microsoft has changed its Sideloading process for all Windows 8.1 devices. For Windows Phone 8.1 you can download the .XAP from the Windows Store and put it on your external disk of your mobile device. From the external memory/disk you can install the app. This is also available(via PowerShell, SCCM or Windows Intune) if your Windows 8.1 Pro and Enterprise are domain joined. For devices which are not domain joined (like Windows RT) you have to use Sideloading activation keys. Obtain a Sideloading activation key, see the this site Windows 8 Volume Licensing Guide. Read more about this process at Technet: http://technet.microsoft.com/en-us/library/dn613831.aspx How to use Sideloading Product Activation Key, see this website: http://technet.microsoft.com/en-us/library/dn613835.aspx

Let’s begin with a group policy. We have to enable Allow all trusted app to install in Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment or you can change this registry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.

Go to the AppPackages directory, where you got the appx (app file) and select the *.cer.

Verify the imported certificate.

It’s time to deploy the app to a Windows Device.

Download the Company portal from the Windows Store.

The device is ready. You can install your test app from the Company Portal.

That’s all folks. You have a device that is being direct managed by Windows Intune and it is ready to deploy Windows Store apps. If you have any questions or comments about this configuration or about deploying, don’t hesitate to leave a message!

This blogpost is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign On in Microsoft Azure, an on-premise ADFS in combination with DirSync are required. DirSync is to sync your on-premise Active Directory with the Microsoft Azure Active Directory. ADFS will be used for handling the on-premise log in credentials to activated SSO.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blogpost I describe the installation and the configuration of ADFS and DirSync. I’m telling you about Device registration and how to prepare the ADFS for Windows Intune.

You will need for this blog one server based on Windows Server 2012 R2 Update 1.

NOTE: This ADFS environment is only accessible inside the network. If you want to use this outside your internal network, you have to change the FQDN into your public domain name while making a new certificate. Don’t forget to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (GMSA) . Run this on the domain controller.

Set-MsolAdfscontext -Computer <AD FS primary server> if you run this on the primary ADFS server, you don’t need to run this command.

New-MsolFederatedDomain –DomainName <domain> or

Convert-MsolDomainToFederated –DomainName <domain>

To verify: Get-MsolFederationProperty –DomainName <domain>

Add UPN for DirSync:

Installing DirSync:

DirSync needs Framework 3.5 or 4.0

To check the sync status, you can open Synchronization Service Manager tool located in: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

And check the Azure admin webconsole: You will see the on-premise users in the webconsole.

The only thing what you have to do is to change the account to your newly created UPN suffix.

Also in the account webconsole you have to edit the synchronized on-premise accounts. You need to give them access to Windows Intune, otherwise they can’t register a device or installing an app from the Company Portal.

Add a record in DNS:

an A record for the hostname (if not exists) <your adfs hostname> to an IP address

a CNAME record for enterpriseregistration:

If your environment has multiple UPN suffixes, you must create multiple CNAME records, one for each of those UPN suffixes in DNS.

Also one for enterpriseenrollment. This one is target to: manage.microsoft.com

Test:

You can test if SSO is working. Go to http://manage.microsoft.com or http://portal.manage.microsoft.com and use your on-premise username with the UPN suffix. The website checks and sees your UPN suffix. Now you will be automatically forwarded to the on-premise ADFS website for log in. After that you will be automatically logged in on Windows Intune. You are in the console right now.

That’s all folks. If you have any questions or comments about this blog, please don’t hesitate to leave a message or send me a mail.

How you doing, how you been? It’s a long time that I wrote a blog on my blogsite. I have been very busy at work and also at home. With 2 little children it’s a little bit messy at home, haha. But, this will change today. My blogsite has got a higher priority for the few coming months. I have (must) to blog more about Windows Intune en System Center, especially the integration Windows Intune with SCCM 2012 R2 (MDM/UDM feature). Beneath that I’m working on a corporate image for a company where I work with. A blog about this experience, with DaRt and MDT 2013 integrated, will coming soon.

This blog is not really that great, but I have to start with something 😉

Windows Intune update, Q2/Q3 2014

Microsoft has introduce the new update policy for Windows Intune. The old one what Microsoft managed was releasing a big update of Windows Intune once or twice a year, mostly in Q1 or Q4. The new one is splitting up the update into months, to speed up the release of the features.

A new blog about deploying apps via SCCM. This blog is not for all platforms, but only about Android because I have only an Android Smartphone to test it. The way to manage an Android device is not the same as for iOS or Windows RT/8. Windows Intune doesn’t support direct management for Android, but only for iOS and Windows RT/8. This means you have to connect your android device to Exchange ActiveSync Services (EAS) to manage the device. It could be an on-premise Exchange or the Cloud Exchange like Office365.

But the good part of this blog is that you don’t need or have to use EAS for deploying apps to your android device(s). The only thing you need is the DirSync with your corporate active directory to the Cloud (Windows Azure Active Directory) the users must be familiar in Windows Intune for the log-in the Company Portal.

For iOS and Windows 8/RT is not that easy, because for Windows Modern(Metro) app you have to contact the developer for the APPX file. This is called Sideloading. Sideloading is deploying/installing Windows apps without the Windows Store. For iOS you need 2 files for the app. The files are IPA (the app) and PLIST (a manifest file) For these files you have to contact also the developer.

Ok, we have added the app in SCCM. Now we have to make a User Collection.

Go to Assets and Compliance and right click on User Collections. Choose for Create User Collection.

In de wizard add some information about the collections. Give it a name and the limiting collection is All Users.

Click on Direct Rule. It opens a new screen. Click Next

We have to find some users they are allowed to downloading the app from the Company Portal. I have 1 user and that is Pietje Puk.

Resource class is User Resource, Attribute name is: User Name and Value: pietje% (% is a wildcard) You can also use SQL queries for a dynamic source and adding, but because of a lab env I’m using direct membership.

Select the user.

Click Next

Click Close

The user(s) are/is added. Click Next.

Click next.

The collection is created and ready for use.

Like this:

Now, we have to go back to Software Library and click on Applications. You will see in the right panel your Android App.

Right click on the app and choose for Deploy.

Collection is the new collection Google that we made earlier in this blog.

Click Add for adding a Distribution point.

You will get 2 distribution point if you are using 1 primary site and Windows Intune integration. Select here for the Cloud (manage.microsoft.com). That is Windows Intune.

I start with some small blogs about the problems what I have met during the installation or configuration of System Center products, like SCCM and SCOM. These are maybe handy if you have some troubles with Apps, roles, portal, updates or distribution.

Hereby an error when you want to distribute an App to the Cloud (Windows Intune)

This happens if you want to distribute an App to the Cloud (manage.microsoft.com). I don’t know why it didn’t work, but I had to reinstall the Windows Intune Connector by deleting the subscription in Administration. After that I have rebooted the server. Added the subscription and the Windows Intune Connector.

Microsoft has released a new version for Windows Intune in December 2012. This update supports the new Microsoft’s operating systems, such as Windows Phone 8, RT and Windows 8 (Ent/Pro). The very important feature is the integration with SCCM 2012 (SP1)

This integration helps you to support the clients of Windows Intune, such as mobile devices and notebooks outside the corporate network, from a single location. You will run the scheduled tasks or distributions from the SCCM 2012 console to the managed Windows Intune clients.

I’m busy with a new blog to show you the details of the integration with SCCM 2012. But first I have to configure my lab environment for supporting mobile devices over Active Sync and maybe the Windows Intune Exchange Connector.